From 6247d1c3f73bab8fccd7b0d608d1a0aaf07fecdb Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov
Date: Mon, 20 Jun 2022 10:08:26 +0200
Subject: executor: fix enabling of ICMP/ping sockets

net/ipv4/ping_group_range sysctl grants access to ICMP sockets to the specified user groups. But it needs to be set inside of the net namespace (it's per-namespace). We were setting it but in the init namespace only (which we don't use). Set it after CLONE_NEWNET. This repairs testing of ICMP sockets.

Note: don't set it for setuid sandbox since it's "low privilege".
---
 pkg/csource/generated.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'pkg/csource')

diff --git a/pkg/csource/generated.go b/pkg/csource/generated.go
index bfd60f23e..e78362b29 100644
--- a/pkg/csource/generated.go
+++ b/pkg/csource/generated.go
@@ -8439,6 +8439,7 @@ static int do_sandbox_none(void)
 	if (unshare(CLONE_NEWNET)) {
 		debug("unshare(CLONE_NEWNET): %d\n", errno);
 	}
+	write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535");
 #if SYZ_EXECUTOR || SYZ_DEVLINK_PCI
 	initialize_devlink_pci();
 #endif
@@ -8535,6 +8536,7 @@ static int namespace_sandbox_proc(void* arg)
 #endif
 	if (unshare(CLONE_NEWNET))
 		fail("unshare(CLONE_NEWNET)");
+	write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535");
 #if SYZ_EXECUTOR || SYZ_DEVLINK_PCI
 	initialize_devlink_pci();
 #endif
@@ -9834,7 +9836,6 @@ static void setup_sysctl()
 	{"/proc/sys/vm/oom_dump_tasks", "0"},
 	{"/proc/sys/debug/exception-trace", "0"},
 	{"/proc/sys/kernel/printk", "7 4 1 3"},
-	{"/proc/sys/net/ipv4/ping_group_range", "0 65535"},
 	{"/proc/sys/kernel/keys/gc_delay", "1"},
 	{"/proc/sys/vm/oom_kill_allocating_task", "1"},
 	{"/proc/sys/kernel/ctrl-alt-del", "0"},
-- 
cgit mrf-deployment
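Review bot: In do_sandbox_none the new write_file call is reached even when the preceding unshare(CLONE_NEWNET) failed, because that branch only calls debug() and falls through, so on failure `0 65535` is written to ping_group_range in the namespace the executor was started in, which is exactly the init-namespace side effect the description says the change is meant to avoid. Making the write the else branch of the existing check, `} else {` / `write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535");` / `}`, keeps the widened group range confined to the freshly created netns. Separately, both here and in the namespace_sandbox_proc hunk the result of write_file is discarded; if it reports failure by return value as the other write_file callers in this file appear to rely on, a `debug("write_file(ping_group_range): %d\n", errno);` on the failing path would make a silently disabled ICMP-socket test attributable rather than looking like a fuzzer coverage gap. Both enclosing functions start and end outside their hunks.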